“Where risk is invisible, governance fails.
Agentic AI makes it visible in real time, accountable, and resilient.”
The Malaysian insurance sector is at a defining moment. Faced with increasing cyber threats, rapid digitalisation, and intensified regulatory scrutiny, insurers, particularly small and medium-sized players, are now expected to demonstrate not only compliance but also active resilience. With policies such as the central bank's (Bank Negara Malaysia's) Risk Management in Technology (RMiT), the national Cybersecurity Act 2024, the enhanced privacy protections of the Personal Data Protection Act (PDPA), the Data Sharing Bills and forthcoming AI legislation, the industry has made strides in laying foundational controls. But compliance alone is no longer enough.
In many Malaysian insurers, core risk functions across all lines of defence are still executed through spreadsheets, unstructured files, PDF logs, and email trails. This fragmented approach may satisfy audit requirements, but it lacks the scalability and agility needed to manage emerging risks. The gap is no longer just about compliance: it is about visibility, prioritisation, and the speed at which organisations can detect, assess, and respond to threats. Boards are calling for real-time assurance, while regulators expect demonstrable evidence of control effectiveness and proactive incident response.
According to the AI Index Report 2024 by Stanford University's Human-Centered Artificial Intelligence (HAI) institute, AI adoption in financial services has matured significantly, with 28% of organisations actively deploying AI in risk domains, the second-highest application area after service operations and one that continues to grow. This trend highlights a shift in the industry, where AI is increasingly applied not only to customer engagement but also to core risk management, compliance, and governance functions.
In addition, a 2024 impact study from the Malaysian Ministry of Human Resources examines roles significantly shaped by advancements in AI, digitalisation, and the green economy, including roles in the risk and governance domains, with the aim of identifying future-ready career pathways and the critical skills required by the Malaysian workforce. It also highlights the emerging capabilities arising from these trends, intended to strengthen the sector's competitiveness and long-term resilience.
For Malaysia's insurance sector, and particularly its small and medium-sized players, these findings signal a critical opportunity to use AI to transform traditional GRC into a real-time, data-driven, and quantifiable function, one that not only meets regulatory expectations but also strengthens institutional resilience and trust.
A quantitative simulation using the FAIR (Factor Analysis of Information Risk) methodology on a typical mid-sized Malaysian insurer highlights the urgency. The Monte Carlo simulation ran 50,000 iterations to assess the risk exposure arising from weak or delayed GRC practices. The outcome was striking: a median annual loss exposure of RM 5.2 million, a 95th percentile estimate of RM 17.5 million, and a worst-case exposure exceeding RM 38 million. These are not hypothetical figures: they represent real potential exposure resulting from delayed detection, inconsistent control application, and a lack of integrated assurance.
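To show how a FAIR-style Monte Carlo produces a median, 95th percentile and worst case of annual loss, here is an added example (not the article's simulation, whose inputs are not published). All distribution parameters are constructed placeholders, triangular curves stand in for FAIR's usual PERT distributions, and the "vulnerability" parameter models how often weak or delayed controls let a threat event become a loss event.

```python
# Added illustration of FAIR-style Monte Carlo; parameters are constructed, not the article's.
import random
import statistics

def simulate_annual_loss(tef, vuln, magnitude, iterations=50_000, seed=None):
    """Return one simulated annual loss (in RM) per iteration.

    tef       : (min, most_likely, max) threat event frequency per year
    vuln      : probability that a threat event becomes a loss event (0..1)
    magnitude : (min, most_likely, max) loss per loss event
    Triangular distributions are an assumption in place of FAIR's PERT curves.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # Draw how many threat events occur this year, keep those that defeat
        # the controls (vulnerability), and sum their individual loss magnitudes.
        threat_events = round(rng.triangular(tef[0], tef[2], tef[1]))
        annual = 0.0
        for _ in range(threat_events):
            if rng.random() < vuln:
                annual += rng.triangular(magnitude[0], magnitude[2], magnitude[1])
        losses.append(annual)
    return losses

def summarise(losses):
    """Median, 95th percentile and worst case of the simulated annual losses."""
    ordered = sorted(losses)
    p95_index = int(0.95 * (len(ordered) - 1))
    return {
        "median": statistics.median(ordered),
        "p95": ordered[p95_index],
        "worst": ordered[-1],
    }

if __name__ == "__main__":
    # Constructed scenario: weak or delayed controls let 60% of threat events through;
    # the same threat landscape with strengthened controls lets only 20% through.
    landscape = ((2, 6, 15), (50_000, 400_000, 3_000_000))
    weak = summarise(simulate_annual_loss(landscape[0], 0.6, landscape[1], seed=1))
    strong = summarise(simulate_annual_loss(landscape[0], 0.2, landscape[1], seed=1))
    for label, stats in (("weak controls", weak), ("strong controls", strong)):
        print(f"{label}: median RM {stats['median']:,.0f}, "
              f"P95 RM {stats['p95']:,.0f}, worst RM {stats['worst']:,.0f}")
```

Running the two scenarios side by side is the part boards care about: the drop from the weak-control to the strong-control median is the quantified value of the GRC investment.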
To meet this challenge, technology must move beyond automation. What Malaysia needs is Agentic Artificial Intelligence (Agentic AI): an advanced class of AI systems designed to act on behalf of users while maintaining transparency, explainability, and control. Agentic AI systems augment human decision-makers rather than replacing them, allowing organisations to scale their GRC capabilities without losing oversight. In the insurance context, these systems can perform tasks such as real-time control monitoring, automation of risk and control self-assessments (RCSA), policy exception flagging, and incident alerting, all in line with local governance expectations.
In this model, the role of each line of defence is enhanced. First-line teams are supported by AI co-pilots that assist with policy adherence, documentation, and control self-assessments. Second-line functions use Agentic AI to track control breakdowns, simulate potential exposures using FAIR logic, and manage compliance dashboards. In the third line, internal audit functions, traditionally retrospective, gain real-time visibility into assurance performance and model-derived insights into where vulnerabilities may lie. The result is a system that not only identifies control failures but actively recommends the highest-priority corrective actions. Beyond the three lines, for external stakeholders, regulators, and board committees, Agentic AI enables explainable, on-demand reporting, transparent evidence trails, and governance-level visibility that reinforces trust and accountability across the enterprise.
However, AI alone cannot build trust. In Malaysia, human oversight remains a cultural and regulatory expectation, so any adoption of AI must be humanised. This means embedding human-in-the-loop principles at all critical GRC decision points. Where AI flags a policy exception, human judgement remains final. Where a model recommends a control override, human approval is mandatory. Furthermore, AI systems must be auditable, traceable, and aligned with standards such as ISO/IEC 42001 and local laws such as Act 854.
Building this trust requires more than technology. It requires an ecosystem: AI governance boards, workforce upskilling, and cross-functional engagement. Insurers can start by piloting Agentic AI use cases in low-risk areas such as second-line control mapping and audit readiness, and scale maturity from there. A localised roadmap, grounded in frameworks such as the NIST AI RMF and TOGAF, allows for phased implementation: vision, architecture, prioritised use cases, training, governance, and continuous monitoring. Each step is reinforced by FAIR-based quantification of exposure and by alignment with the expectations of regulators, boards, and other stakeholders.
The outcomes are not only operational — they are strategic. Insurers that successfully implement humanised Agentic AI can expect up to 70% automation of repetitive GRC tasks. With FAIR-driven risk quantification embedded in dashboards, boards will gain visibility into real-time exposure and control assurance. Regulatory reporting becomes dynamic and evidence-backed. Internal audit efforts are streamlined. Most importantly, policyholder trust is reinforced through transparent, explainable systems that reflect ethical governance.
The business case is clear. The cost of inaction, based on the RM 5.2 million median exposure, is far higher than the investment required for phased AI enablement. For Malaysia's SME insurers, this is a levelling moment. Agentic, humanised AI enables smaller players to match the GRC precision of larger incumbents, not through headcount but through intelligent augmentation of their capabilities.
Moving from compliance to competitive trust is no longer optional — it is a leadership imperative. Malaysia’s insurers must now decide whether to remain at the margins of regulatory survival or to lead with a future-ready posture where risk is measured, assurance is intelligent, and governance becomes a strategic differentiator.
This transformation begins not with AI alone, but with the enablement of digital trust, human inclusion, and responsible augmentation. It calls for keeping people at the centre of intelligent systems, ensuring that Agentic AI supports, rather than supplants, ethical judgement, accountability, and resilience. The true future of governance lies in elevating human capability through trusted intelligent technology, shaping insurers that are not only compliant but confidently future-proof.